Flashback malware for Mac changes infection tactic

A new variant of the password-stealing Flashback malware aimed at Apple computers has emerged, which tries to install itself after a user visits an infected website, according to new research.

Flashback, discovered by security vendor Intego last September, is engineered to steal passwords for websites, including financial sites. Since its emergence, several variants have appeared showing its authors’ innovation.

The first version of Flashback tried to trick users into installing it by masquerading as Adobe’s Flash Player. Later versions checked to see if the Apple computer in question had an unpatched version of Java with two software vulnerabilities.

If the computer was running unpatched Java, Flashback automatically installed itself. If the Java attack didn’t work, Flashback then presented itself as an Apple update with a self-signed security certificate.

The latest “Flashback.N” version spotted by Intego tries to infect the computer after a person has visited an infected web page. The tactic is often referred to as a drive-by download. Much of the drive-by download malware for Windows can infect a computer without any action by the user merely by visiting the tampered website.

Users get a bit more warning with Flashback.N. Upon hitting the infected website, Flashback.N shows a “Software Update” dialogue box similar to the legitimate Apple one and asks for a user’s password.

On its blog, Intego described the installation procedure as “somewhat odd,” as the website, that has been rigged to deliver the malware, displays Apple’s multicoloured spinning gear for a while before the dialogue box appears. Flashback then injects itself into the Safari browser and starts sniffing data traffic for passwords.

Earlier this week, Intego found that Flashback was using Twitter as a command-and-control mechanism. Other botnets have also used Twitter to post commands or directions to new commands.

Flashback queries Twitter for 12-character hashtag composed of seemingly random characters, according to an Intego blog post. The strings are actually generated using 128-bit RC4 encryption and are composed of four characters for the day, four for the month and four for the year.